JimLafleur
Frequent Visitor
Topic Author
Posts: 60
Joined: Thu Nov 19, 2020 2:35 am

Panasonic Pbx VoIP Disable SIP ALG

Wed Jan 27, 2021 11:24 pm

Hi,
We're setting up a Panasonic PBX on our network. Phones will connect to it locally and via the internet (Remote Phones). The phone system installer said we needed to disable SIP ALG in the router.
I've found that we could disable SIP here: IP > Firewall > Service Ports.

In Service Ports, there's also (quotes are from Wikipedia):
h323: "Within the context of H.323, an IP-based PBX might be a gatekeeper or other call control element which provides service to telephones or videophones. Such a device may provide or facilitate both basic services and supplementary services, such as call transfer, park, pick-up, and hold."
dccp: "DCCP is useful for applications with timing constraints on the delivery of data. Such applications include streaming media, multiplayer online games and Internet telephony"
sctp: "The designers of SCTP originally intended it for the transport of telephony"

To prevent troubles, I wonder, should we also disable h323, dccp and sctp (in addition to sip)? Or will it cause other troubles with the other usages the users do with the network?
 
davorjs
just joined
Posts: 10
Joined: Mon Oct 12, 2020 1:04 am

Re: Panasonic Pbx VoIP Disable SIP ALG

Thu Jan 28, 2021 12:03 am

Hi Jim,

I install Panasonic PBXs as well and I have only disabled the SIP ALG. I have not touched the others, H323 etc.

Seems to work for me.

Cheers, Dave.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Panasonic Pbx VoIP Disable SIP ALG

Fri Jan 29, 2021 5:55 am

Your PBX is SIP, not h323, etc. So ignore the others.

I've had problems with SIP ALG on SonicWall, but never with Mikrotik so I've always left it enabled.
 
JimLafleur
Frequent Visitor
Topic Author
Posts: 60
Joined: Thu Nov 19, 2020 2:35 am

Re: Panasonic Pbx VoIP Disable SIP ALG

Fri Jan 29, 2021 10:09 pm

> I install Panasonic PBXs as well and I have only disabled the SIP ALG. I have not touched the others, H323 etc. Seems to work for me.
> Cheers, Dave.

Good to know, Dave. Were you using Mikrotik on your Panasonic PBX jobs?
Last edited by JimLafleur on Fri Jan 29, 2021 10:16 pm, edited 1 time in total.
 
JimLafleur
Frequent Visitor
Topic Author
Posts: 60
Joined: Thu Nov 19, 2020 2:35 am

Re: Panasonic Pbx VoIP Disable SIP ALG

Fri Jan 29, 2021 10:16 pm

> Your PBX is SIP, not h323, etc. So ignore the others.
> I've had problems with SIP ALG on SonicWall, but never with Mikrotik so I've always left it enabled.

Hi Van9018. So you didn't bother to do the port forwarding for RTP, MGCP, PTAP, SIP Trunk? Just configured the ports in the SIP ALG? Or you did set the port forwarding, but just left SIP ALG alone?
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Panasonic Pbx VoIP Disable SIP ALG

Sat Jan 30, 2021 12:55 am

I don't do port forwarding. Your PBX has to register against the VoIP provider every few minutes (usually 2 minutes). This keeps the UDP port 5060 open and forwarded to your PBX naturally.

I also don't use a STUN server because the ALG is supposed to fix that. The ALG is supposed to monitor the SIP packets and replace my PBX's private IP with my public IP. Additionally, when a call needs to be established, the ALG will inspect the SIP packets and automatically forward RTP ports to my PBX. If port translation is required, it should handle that too. However, the ALG will not work at all if you're using secure SIP; the ALG can't view the encrypted packets.

If you have handsets outside of the office that are trying to connect to your public IP to reach the PBX, then maybe you might have to forward port 5060. Your remote handsets will likely be behind NAT, so it would be ideal if the remote handsets used Mikrotik as their router as well.
 
JimLafleur
Frequent Visitor
Topic Author
Posts: 60
Joined: Thu Nov 19, 2020 2:35 am

Re: Panasonic Pbx VoIP Disable SIP ALG

Sat Jan 30, 2021 9:55 pm

> I don't do port forwarding.


Well, that's interesting. I guess that's something we could've tried. But since everything is working well now (with the port forwarding and SIP ALG off), I'll leave it as is right now.

We do have remote handsets. The connections are unencrypted.

Just out of curiosity, what are the settings we need to set for the SIP ALG? I see the default shows 2 ports. Are those the ports used by the SIP trunk provider? Our SIP trunk provider only uses 1 port.
Do you check "SIP Direct Media"? What do you use for the SIP Timeout?
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Panasonic Pbx VoIP Disable SIP ALG

Sun Jan 31, 2021 3:02 am

Port 5060 is for unencrypted SIP. Port 5061 is for encrypted SIP. However if SIP is encrypted, then the Mikrotik can't inspect and rewrite SIP packets. I don't know why Mikrotik lists 5061.

A PBX will typically route all audio through itself. But it's possible to configure your PBX to route audio directly between handsets. This is what SIP Direct Media means. If you turn that off, then the Mikrotik will block handset-to-handset audio that tries to traverse between layer 3 interfaces. I have always left it on, although it makes sense to turn it off if your audio will always go through the PBX.

I've also left the timeout to the default of 1 hour. Your provider will likely expect your PBX to register every x amount of minutes. That lets the provider know your PBX is still online. For most PBXs I think they default at registering every 2 minutes. So I imagine you could lower this timeout, although I can't see how that would increase security whatsoever.

I think most people have success not using ALG and statically setting port forwarding. Using ALG seems like a cleaner and more correct solution, given the ALG implementation actually works correctly. It appears Mikrotik got it right and that's actually the very first reason I started using Mikrotik routers.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Panasonic Pbx VoIP Disable SIP ALG

Sun Jan 31, 2021 3:21 am

And as for h323 and the others, you can disable those too as they are alternatives to SIP; you're not using them.
 
JimLafleur
Frequent Visitor
Topic Author
Posts: 60
Joined: Thu Nov 19, 2020 2:35 am

Re: Panasonic Pbx VoIP Disable SIP ALG

Sun Jan 31, 2021 4:55 pm

Nice explanation Van9018. Thanks for that! It's much clearer now.
 
JimLafleur
Frequent Visitor
Topic Author
Posts: 60
Joined: Thu Nov 19, 2020 2:35 am

Re: Panasonic Pbx VoIP Disable SIP ALG

Sun Jan 31, 2021 4:55 pm

> And as for h323 and the others, you can disable those too as they are alternatives to SIP; you're not using them.

Cool! I will disable them.
 
JimLafleur
Frequent Visitor
Topic Author
Posts: 60
Joined: Thu Nov 19, 2020 2:35 am

Re: Panasonic Pbx VoIP Disable SIP ALG

Mon May 24, 2021 6:11 pm

> I don't do port forwarding. Your PBX has to register against the VoIP provider every few minutes (usually 2 minutes). This keeps the UDP port 5060 open and forwarded to your PBX naturally.
>
> I also don't use a STUN server because the ALG is supposed to fix that. The ALG is supposed to monitor the SIP packets and replace my PBX's private IP with my public IP. Additionally, when a call needs to be established, the ALG will inspect the SIP packets and automatically forward RTP ports to my PBX. If port translation is required, it should handle that too. However, the ALG will not work at all if you're using secure SIP; the ALG can't view the encrypted packets.
>
> If you have handsets outside of the office that are trying to connect to your public IP to reach the PBX, then maybe you might have to forward port 5060. Your remote handsets will likely be behind NAT, so it would be ideal if the remote handsets used Mikrotik as their router as well.

Hi Van,
Our PBX uses 192.168.23.101.
Our DSP uses 192.168.23.102.

Currently the RTP ports are manually forwarded to 192.168.23.102.

Can the SIP ALG detect that and auto forward all the RTP ports to the DSP?
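
Added example, not part of any post in this thread and not RouterOS code: a simplified Python model of the generic SIP ALG behaviour Van9018 describes above (rewrite private addresses in readable SIP, open the RTP ports named in the SDP, pass encrypted traffic through untouched). The INVITE is constructed from the PBX and DSP addresses in the last post; `203.0.113.10` and `sip.example.net` are placeholders, `alg_process` is a hypothetical name, and only a session-level `c=` line is handled.

```python
import re

# RFC 1918 private IPv4 addresses, the kind a NATed PBX writes into SIP/SDP.
PRIVATE = re.compile(
    r"\b(?:10\.\d+|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d+\.\d+\b")

# Constructed sample: INVITE sent by the PBX (192.168.23.101) whose SDP
# points media at the DSP (192.168.23.102). Provider name is a placeholder.
SDP = ("v=0\r\n"
       "o=pbx 1 1 IN IP4 192.168.23.102\r\n"
       "s=-\r\n"
       "c=IN IP4 192.168.23.102\r\n"
       "t=0 0\r\n"
       "m=audio 16000 RTP/AVP 0 8\r\n")
SAMPLE_INVITE = ("INVITE sip:15550100@sip.example.net SIP/2.0\r\n"
                 "Via: SIP/2.0/UDP 192.168.23.101:5060;branch=z9hG4bK776\r\n"
                 "Contact: <sip:pbx@192.168.23.101:5060>\r\n"
                 "Content-Type: application/sdp\r\n"
                 f"Content-Length: {len(SDP)}\r\n\r\n" + SDP)


def alg_process(payload: bytes, public_ip: str):
    """Model of an ALG pass: return (rewritten payload, RTP/RTCP pinholes).

    Pinholes are (internal_ip, port) pairs taken from the SDP, i.e. the host
    that inbound media would be forwarded to. Payloads the ALG cannot read
    as SIP (for example TLS on 5061) come back unchanged with no pinholes.
    """
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return payload, []                      # opaque bytes: nothing to inspect
    head, sep, body = text.partition("\r\n\r\n")
    if "SIP/2.0" not in head.split("\r\n")[0]:
        return payload, []
    media_ip, pinholes = None, []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):        # media address (may differ from the PBX)
            media_ip = line.split()[-1]
        elif line.startswith("m=audio ") and media_ip:
            port = int(line.split()[1])
            pinholes += [(media_ip, port), (media_ip, port + 1)]   # RTP, RTCP
    body = PRIVATE.sub(public_ip, body)
    # Rewriting changes the body size, so Content-Length must be recomputed.
    lines = [f"Content-Length: {len(body)}"
             if l.lower().startswith("content-length:")
             else PRIVATE.sub(public_ip, l) for l in head.split("\r\n")]
    return ("\r\n".join(lines) + sep + body).encode("ascii"), pinholes
```

In this model the pinhole target comes from the SDP `c=` line rather than from the host that sent the signalling, which is why the constructed sample yields 192.168.23.102; the thread does not establish whether RouterOS does the same.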
